THE WannaCry ransomware attack on computer systems in 150 countries in 2017 put patients’ lives at risk after ambulances were diverted and surgeries cancelled. The United Kingdom’s National Health Service was among those affected by the attack.
Since then, there have been many cyberattacks in the United States leading to ambulance diversions.
The frequency of cyberattacks on US hospitals and health systems more than doubled from 2016 to 2021. The health industry was the third-largest target for cyberattacks in 2023, after the education and government sectors.
Cyberattacks on Indian health systems were second-highest in the world.
One of the largest data hacks in Indian history this year spotlit the security of personal health data, especially as the sector becomes increasingly digitised.
Security and privacy concerns lie at the crux of information systems research.
As more healthcare providers rely on the internet, cyber threats such as data theft become more of a risk.
Online patient portals which enable individuals to view medical test results, download data, engage with medical professionals, and schedule visits are prone to cyberattacks.
Privacy risks are obvious, but these breaches also have a strong financial impact on healthcare enterprises and loss of customer trust.
Even if the notion of absolute privacy is unattainable, healthcare providers should define where an individual’s privacy may be compromised to maintain credibility and attract future patients.
While secondary information use is both widespread and legal, it can be considered an invasion of privacy when it occurs without the knowledge or consent of the consumer.
Laws on digital data
An important concern is whether consumers have a choice to allow their medical information to be digitised or if they may change their attitudes toward opting in for electronic health records maintenance by hospitals.
Nations around the world have been grappling with this issue.
The European Union shared a proposal in data governance to adopt a wider definition of data sharing in 2021 after receiving 449 contributions from 32 countries.
The US’ Hippa (Health Insurance Portability and Accountability Act) privacy rule gives individuals rights for their protected health information, provides coordinated care, and enables patients’ access to test reports but does not deal with the patient’s right to foresee the secondary use of their shared information per se.
The UK’s health information laws grant protection against improper access, disclosure, or loss of patient personal health information along with legitimate reason to view the same.
German digital health laws and regulations proclaim doctor-patient confidentiality, and the informed and explicit consent of patients to transfer data legally. French laws elaborate specifically on healthcare information technology and prohibit the sale of identifiable patient health data.
Indian healthcare data privacy laws need to keep up with these global policy proceedings to strengthen its data breach legislation and bestow security in health access to the population.
India’s Digital Personal Data Protection Act has not been notified yet, after being passed in parliament in August. It does not delve into data breaches involving cyberterrorism, third-party leakage, or individual and organisational loss of credibility.
Outsourcing security protection can give rise to system interdependence risks to a managed security service provider, making information security systems vulnerable to cyberattacks.
Broader security policies needed
Privacy in the digital domain is an important agenda for policymakers. The extent of data theft, data sharing and accessibility has significant bearing on cyber policies. The development of automated detection systems using a design science approach for combating fake websites can enhance online security.
As consumers become more concerned about their privacy, it will be imperative for healthcare firms to adopt privacy protection and security policies to protect against cyber threats.
For India, with over one billion people with access to the internet, individual home computer users represent a significant point of weakness in achieving secure cyber infrastructure.
In order to secure individuals’ security of personal data, security policies should provide a broader description of electronic presence, identifiability, awareness of logging, awareness of audit which would substantially reduce intentions to commit access policy violations.
With a lack of regulation by the government, the onus falls to the individual to ensure their devices are safe from hackers.
If individuals need to make choices online for their healthcare needs, then security policies need to consider user personalisation preferences to provide them with customised security solutions which should find a clear mention in the security policies of the public and private healthcare enterprises.
If the security policies incorporate a common set of values incorporating anonymity, secrecy, confidentiality, and control, then the possibility of cyber threat can be controlled and managed to a large extent.
The ultimate responsibility lies with the State to enhance cybersecurity readiness. A robust data security framework built upon privacy preferences, information disclosure norms, systems privacy settings, institutional data governance policies and stakeholders’ credibility index score could prove helpful in restoring the trust deficit in digitised healthcare systems. – The Vibes, December 17, 2023.
Dr Vijayetta Sharma is associate professor of public policy at the Manav Rachna International Institute of Research and Studies, India. Her research areas are healthcare, information systems and governance. She specialises in public policy and management.
Published under Creative Commons and in partnership with 360info.org.
